OpenCSPM is an open-source platform developed by Darkbit that aims to make continuous cloud security posture assessments of cloud environments a practical reality for security and compliance teams alike. It offers a unique approach to managing the firehose of security and compliance check results that even modest AWS and GCP environments can surface, and its control definitions allow for simple yet powerful levels of introspection into its graph data model.
Why Did We Build OpenCSPM?
Performing cloud-native and Kubernetes security posture assessments is our laser-focus at Darkbit, and helping our customers at every stage of their journey manage appropriate levels of risk in their environments is what drives us. With every engagement, we learn more and more about what drives our customers and the contributing factors to their cloud security challenges. Overwhelmingly, the challenge is getting control of and keeping control of security risks in ever-growing and changing cloud environments. It’s just too much data, too often, and the surface area keeps expanding.
There are several SaaS offerings and open-source tools that focus on this space, but our perspective as a two-person consulting company made us see and feel a lot of our customers’ pain. It highlighted multiple areas that we wanted to address differently, and we felt the community could benefit from our lessons learned.
What Have We Seen?
You can’t manage what you can’t see. Without a complete inventory, you’re flying blind when it comes to cloud security posture management.
- Incomplete Collection Coverage - Many solutions don’t have the capability to collect the metadata from all available cloud resources. They tend to focus on the core types of compute, networking, database, and IAM service resources, which means the results are by definition limited in completeness. What do you do if you use a service that your CSPM solution doesn’t even look at?
- Data Ownership - Many solutions are delivered as Software-as-a-Service (SaaS) and provide quick onboarding experiences, but they are inherently a third party with account-wide or organization-wide “read-only/security audit” access to your cloud resources. This may present challenges with data ownership, compliance attestations of an external third party, and adherence to regional compliance mandates.
- Customization - Solutions can vary widely in their ability to make adjustments to how data is collected, how security checks are defined, how results are filtered/excluded and reported, and how and when teams are alerted for issues. Without full control over all aspects, you may end up with results and notifications that cannot be properly tuned, and this can lead to ignoring the tool and overall alert fatigue.
- Answering Complex Questions - All CSPM solutions can answer “Is this S3 Bucket Public?”, but very few of them can answer questions like “Are there any publicly accessible virtual machines with attached instance credentials that allow reading from S3 buckets tagged ‘sensitive’?” or “Which GKE Clusters have pods with access to escalate to ‘Project Owner’ via the attached Service Account?”
- Point-in-Time vs Continuous - A solution designed with tunable results tracking and results triage workflows across multiple assessment intervals in mind is a giant upgrade in value from running a tool every day and getting the report in your inbox.
- Unattainable Perfection - The concept of reaching “zero” failing checks is much like reaching “Inbox Zero”. If you can, it’s short-lived, but it may never be possible with certain requirements in place. Being able to calibrate the tool to your baseline instead of perfection is the only way to make the results stay meaningful and accurate. Having a list of failing issues delivered to your inbox every day that you know you can’t fix dilutes the value of those results by increasing the cognitive load and context required to make use of them.
- Focus on Compliance - Most security practitioners are aware of the difference between an environment that is only compliant and one that is compliant and also well hardened. Compliance is a key driver for obtaining project funding and being able to operate a business legally, but going no further than compliance still leaves you open to critical risks. Cloud security posture assessment tools don’t often cover both security best practices and compliance objectives equally.
Make answering the simple questions simple and answering even the most complex questions possible.
- Support for cloud providers, Kubernetes resources, and other related data types using a standardized approach - OpenCSPM is targeting AWS, GCP, and soon, Kubernetes resources, but adding other types of data like identity mapping, container image vulnerability metadata, and more is on the roadmap. Resources are to be collected in a standardized JSON format using dedicated collection mechanisms and delivered to cloud storage buckets like GCS and/or S3.
- Separation of Collection from Analysis - Scanning/collecting and then analyzing the data from a single tool is convenient, but when deployed into a cloud account, it becomes quite the target for an attacker. Having processes with just enough permissions to collect the data and write to a bucket separate from the system that ingests/analyzes that data helps minimize that risk, but it also enables more flexible deployment scenarios for larger organizations with multiple teams, each with their own levels of access to the data.
- Advanced Data Model - Answering lots of complex questions of this inventory and configuration data requires parsing and storing the data with relationships intact. A graph database is best suited for this task, and it provides a window to this data that makes answering the simple questions simple and answering even the most complex questions possible.
- Campaigns as Workflows - Once checking thousands of settings across multiple accounts becomes extremely cheap and quick, even small organizations will generate an overwhelming amount of results they have to manage. The most important results can be triaged and tracked in one or more “campaigns”, and this is the touchpoint where activities such as filtering and notifications can be handled. You should be in full control over what to care about and be notified on, not the system.
- Full control - A platform with this much potential capability and power should be in the hands of the teams that need to get work done. That means full control over where that system is deployed, its access model, and fine-grained control over what it checks and how it represents that data. The system should be open and transparent about what it’s doing. More importantly, you should be able to know what it’s not doing.
- Compliance Objectives and Tagging - It should be possible to associate controls with one or more compliance requirements with relative ease, and the user interface, filtering, and workflows should be driven from those tags. For example, filtering controls by “PCI”, “NIST 800-53”, or “CIS” should narrow down the list to the controls that align with those frameworks with an identical mechanism that can also be used to filter controls for “lateral movement” or “privilege escalation”.
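As an added illustration of the graph-model argument above (this is not OpenCSPM's own code or schema), the following Python builds a small constructed inventory graph and answers the “publicly accessible virtual machines with attached credentials that can read buckets tagged ‘sensitive’” question from the list of complex questions by walking the relationships. The node types and edge labels (VM, Role, Bucket, HAS_CREDENTIAL, CAN_READ) are assumptions made for this example.

```python
from collections import defaultdict

# Constructed mini property graph standing in for a CSPM inventory. The node
# and edge names (VM, Role, Bucket, HAS_CREDENTIAL, CAN_READ) are assumptions
# made for this illustration, not OpenCSPM's actual data model.
class ResourceGraph:
    def __init__(self):
        self.nodes = {}                 # node id -> {"type": ..., attributes}
        self.out = defaultdict(list)    # src id -> [(edge label, dst id)]

    def add_node(self, nid, ntype, **attrs):
        self.nodes[nid] = {"type": ntype, **attrs}

    def add_edge(self, src, label, dst):
        self.out[src].append((label, dst))

    def neighbors(self, nid, label):
        return [dst for lbl, dst in self.out[nid] if lbl == label]

    def public_vms_reading_sensitive_buckets(self):
        """Walk VM -HAS_CREDENTIAL-> Role -CAN_READ-> Bucket and keep the pairs
        where the VM is publicly reachable and the bucket is tagged 'sensitive'."""
        hits = set()
        for vm_id, vm in self.nodes.items():
            if vm["type"] != "VM" or not vm.get("public"):
                continue
            for role in self.neighbors(vm_id, "HAS_CREDENTIAL"):
                for bucket in self.neighbors(role, "CAN_READ"):
                    if "sensitive" in self.nodes[bucket].get("tags", ()):
                        hits.add((vm_id, bucket))
        return sorted(hits)

def build_sample_graph():
    """Constructed sample inventory: three VMs, two roles, two buckets."""
    g = ResourceGraph()
    g.add_node("vm-web", "VM", public=True)
    g.add_node("vm-batch", "VM", public=False)      # private: same role, no finding
    g.add_node("vm-bastion", "VM", public=True)     # public, but reads a non-sensitive bucket
    g.add_node("role-exports", "Role")
    g.add_node("role-static", "Role")
    g.add_node("bucket-exports", "Bucket", public=False, tags=("sensitive",))
    g.add_node("bucket-static", "Bucket", public=True, tags=("web",))
    g.add_edge("vm-web", "HAS_CREDENTIAL", "role-exports")
    g.add_edge("vm-batch", "HAS_CREDENTIAL", "role-exports")
    g.add_edge("vm-bastion", "HAS_CREDENTIAL", "role-static")
    g.add_edge("role-exports", "CAN_READ", "bucket-exports")
    g.add_edge("role-static", "CAN_READ", "bucket-static")
    return g
```

Only the public VM whose credential reaches a sensitive bucket is reported; the private VM sharing the same role and the public VM reading a non-sensitive bucket both drop out, which is the kind of multi-hop filtering a flat per-resource check cannot express.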
Who Is OpenCSPM For?
Organizations looking for an open-source solution to help them gain more complete control over how cloud security posture data is collected, analyzed, measured, and handled on a continuous basis. For example:
- Security Teams looking for a way to identify cloud security risks and automatically track the progress down to a desired baseline across the entire organization.
- Compliance Teams looking for a more complete picture of adherence to and deviations from the various compliance frameworks and a way to measure and track those statistics over time.
- Development and Operations Teams looking for continuous and early feedback during greenfield infrastructure development to avoid surprises when Security or Compliance Teams review said infrastructure.
- Red Teams looking for common mistakes and trends in their organizations to help them devise more useful scenarios to run against their Blue Teams, and Blue Teams looking to be made aware when those common mistakes reoccur to be able to address them.
We Want Your Feedback
We’d love to hear your thoughts and get your feedback! We want to build this project to fit the needs of its users, and we want you to help us make it better for everyone.